What's Evercookie? Mitigations techniques included.

  • Article

H3LL0,

"C is for Cookie. That's good enough for me. Cookie, cookie, cookie starts with C" sings the Cookie Monster from Sesame Street.

Let's imagine Cookier Monster started learning hacking techniques then he found a way to make a cookie very durable and persistent. So after he ate a cookie: surprise! It's come back again! Can you imagine Cookie Monster singing a new version of the song?

"C is for Cookie but isn't Enough for me. Evercookie, cookie, cookie starts with "E".

On this post I have listed the top 10 Web hacking techniques in 2010 where Evercookie occupies the 2nd place. We are almost in 2012 and Evercookie stills making the happiness of the Cookies' Hacking monsters.

What's Evercookie?

Evercookie is a Javascript API available that produces extremely persistent cookies in a browser. It has a 'mission': identify a client even after they've removed standard cookies, cookies produced by Flash (Local Shared Objects or LSOs), by Silverlight Isolated Storage, and others.

Evercookie successfully does that by storing the cookie data in several types of storage mechanisms that are available on the local browser. Thus, if Evercookie has found an user has removed any of these types of cookies at hand, it will recreate them using each available mechanism.  (Source: https://samy.pl/evercookie )

Which storage mechanisms will be used by Evercookie when creating a new cookie?

     - Standard HTTP Cookies
     - Local Shared Objects (Flash Cookies)
     - Silverlight Isolated Storage
     - Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas
        tag to read pixels (cookies) back out
     - Storing cookies in Web History
     - Storing cookies in HTTP ETags
     - Storing cookies in Web cache
     - window.name caching
     - Internet Explorer userData storage
     - HTML5 Session Storage
     - HTML5 Local Storage
     - HTML5 Global Storage
     - HTML5 Database Storage via SQLite

A sample of the Evercookie Javascript API working:

var ec = new evercookie();

ec.set("uniqueid", "51555"); // set uniqueid = 51555

// get our evercookie data back
ec.get("uniqueid", function(val) {alert("ID is " + val)});

Some techniques to kill Evercookies:

1) Open a new tab then close all other windows and tabs

2) Delete Silverlight Isolated Storage
    - Go to https://www.silverlight.net
    - RIght click on Silverlight application (any app will do)
    - Silverlight Preferences -> Application Storage -> Delete all...
    - Click on "Yes"
    - Optionally you can disable this: "Enable application storage"

3) Delete Flash Local Shared Objects (LSO)
    - Go to the Flash "Website Storage Settings panel"
    - Click "Delete all sites"
    - Click "Confirm"

4) Clear Browsing Data
    - Depending of your browser these options below are available in a different place, but in general is:
    - Tools -> Clear Browsing Data...
    - Under that you must Select all options available
    - Clear data from this period: Everything
    - Click "Clear Browsing data"

5) Look for available and safe Plug-ins to extend Private Browsing's feature in your browser

6) Use a Virtual Machine configured to not save data after turning off (Read only mode)

I want to say thanks to Jeremiah Grossman for a session in the  BlueHat V11 where he explained very well this topic.

"E is for Evercookie. That isn't enough for me. Cookie, cookie, cookie restarts with E" by the imaginary Evercookie Hacking Monster.

regards,

Marins